Re: [Doh] [Ext] Servers offering responses for domaines they are not responsible for
Eliot Lear <lear@cisco.com> Mon, 06 November 2017 04:57 UTC
Return-Path: <lear@cisco.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB49313FAFE for <doh@ietfa.amsl.com>; Sun, 5 Nov 2017 20:57:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MaEmIK7zK8xa for <doh@ietfa.amsl.com>; Sun, 5 Nov 2017 20:57:46 -0800 (PST)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C30613FAFB for <doh@ietf.org>; Sun, 5 Nov 2017 20:57:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2684; q=dns/txt; s=iport; t=1509944266; x=1511153866; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=ugJZU+xUcfrPeWcaMy0eUiCP8VG3FUjWzvk9rko9SNs=; b=lMmcUchZ1dmkjLfkYd12vlIH74CxX70FaC2Wzq0p4J34391KzEcoEeEx shYMFvd/pLESn6OtmpXxx6e8YRxpJMvO7567LDSUjcHOWHwoN8sOnTNrK CZpgsFIBbWQL050utac9QDPuhsQ8GoZbsKrfNkyLSWeDou6bUh76x5xDe 4=;
X-Files: signature.asc : 481
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CiAQDa6v9Z/xbLJq1cGQEBAQEBAQEBAQEBBwEBAQEBhQaEJIsTj3smmFcHA4U7AoUZFQEBAQEBAQEBAWsohR8BBAEjVgULC0ICAlcGAQwIAQGKFwiqIYIniwYBAQEBAQEBAQEBAQEBAQEBAQERD4MuhWwLgnaEe4MrgmIFog6EQoIjjhcCi3aHPJYWgTk1IoFsNCEIHRWDLoMQgU9AjRgBAQE
X-IronPort-AV: E=Sophos;i="5.44,351,1505779200"; d="asc'?scan'208";a="42004"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Nov 2017 04:57:44 +0000
Received: from [10.61.224.245] ([10.61.224.245]) by aer-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id vA64vhqC027195; Mon, 6 Nov 2017 04:57:43 GMT
To: Paul Hoffman <paul.hoffman@icann.org>, "doh@ietf.org" <doh@ietf.org>
Cc: Mark Nottingham <mnot@mnot.net>
References: <16B93F04-FE24-4C61-94F3-87EF7707F10E@vpnc.org> <E304CB00-95E6-4868-B3C4-FDF4049F6492@mnot.net> <1819FF02-9147-48A8-867E-82BA58AC332A@icann.org>
From: Eliot Lear <lear@cisco.com>
Message-ID: <06878054-f48c-0877-d556-a108a6241d01@cisco.com>
Date: Mon, 06 Nov 2017 05:57:34 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <1819FF02-9147-48A8-867E-82BA58AC332A@icann.org>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="2T134KpqloUdSKwiMm8lNsVRUSiUnJGL3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/28fE9gd00xlootfeggLWVfNATW0>
Subject: Re: [Doh] [Ext] Servers offering responses for domaines they are not responsible for
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2017 04:57:48 -0000
Hi Paul, > In fact, I don't understand Eliot's concern here. DNS recursive resolvers (which is what a DOH server would be fronting for) are not "responsible for domains". Authoritative servers are responsible for domains. > > Eliot: can you say more about your concern here? Sure. DNS-based load balancing mechanisms assume that the source of a query is going to be proximate to the originator. Use of DoH may upset that assumption. In the extreme case, imagine having just one DoH caching resolver out there, and all queries flowing to it, from anywhere in the world. Especially if it is caching, any number of queries would end up returning addresses that are local to that one DoH server and not to the originator. I mentioned authority here only in as much as I don't care what a DoH server does for services that are related to it, but if they are not, and if it really is just acting as a caching resolver, then this issue comes into play. Eliot
- [Doh] Servers offering responses for domaines the… Paul Hoffman
- Re: [Doh] Servers offering responses for domaines… Mark Nottingham
- Re: [Doh] [Ext] Servers offering responses for do… Paul Hoffman
- Re: [Doh] [Ext] Servers offering responses for do… Eliot Lear
- Re: [Doh] [Ext] Servers offering responses for do… Martin Thomson
- Re: [Doh] [Ext] Servers offering responses for do… Eliot Lear
- Re: [Doh] Servers offering responses for domaines… Eliot Lear
- Re: [Doh] Servers offering responses for domaines… Andrew Sullivan
- Re: [Doh] Servers offering responses for domaines… Eliot Lear